Hello,
After a 5h fight with ldap via ssl, I want to share with you all the steps.
First you need to make ldap work without ssl, after that you can switch to ldaps by following the steps below.
Also, LDAPS must be enabled on your DC ( pdhewaju.com.np/2017/03/02/configuring-secure-ldap-connection-server-2016 )
1 - Export the "root CA" from Certificate Manager on your DC (DER encoding, saved as adds.cer).
2 - Upload the certificate to your server; in my case it is an Ubuntu Server.
3 - Convert the certificate to .crt
""" openssl x509 -inform DER -in adds.cer -out adds.crt """
4 - Import the certificate into the local trust store on your GLPI server
""" sudo cp adds.crt /usr/local/share/ca-certificates """
""" sudo update-ca-certificates """
5 - Add your DC FQDN to your DNS server or hosts file.
6 - Check if your GLPI server trusts the DC certificate via wget (enable HTTPS in IIS on the DC for the test).
wget https://dc01.mylab.local/
""" --2022-12-17 00:33:18-- https://dc01.mylab.local/ """
""" Resolving dc01.mylab.local (dc01.mylab.local)... 192.168.1.10 """
""" Connecting to dc01.mylab.local (dc01.mylab.local)|192.168.1.10|:443... connected. """
""" HTTP request sent, awaiting response... 200 OK """
""" Length: 703 [text/html] """
""" Saving to: ‘index.html’ """
""" index.html 100%[=====================================>] 703 --.-KB/s in 0s """
""" 2022-12-17 00:33:18 (117 MB/s) - ‘index.html’ saved [703/703] """
If the GLPI server doesn't trust the DC certificate you will get errors like this:
""" Unable to locally verify the issuer's authority. """
""" To connect to dc01.mylab.local insecurely, use `--no-check-certificate'. """
7 - If the wget test is okay, go forward with the ldapsearch test.
""" ldapsearch -H ldaps://dc01.mylab.local:636 -x -W -D "CN=Glpi Admin,OU=Users,DC=mylab,DC=local" -b 'DC=mylab,DC=local' """
Enter LDAP Password:
8 - If the ldapsearch test is okay, restart Apache and go configure LDAP authentication in GLPI.
""" systemctl restart apache2 """
Home > Configuration > Authentication > LDAP
First add your LDAP source (Active Directory server)
In the Server field put: ldaps://mdc01.mylab.local
In the Port field put: 636
Last edited by mmaslouh (2022-12-17 02:21:09)
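The post tests trust with wget against HTTPS on IIS, which only proves the CA import if IIS happens to use a certificate from the same CA. The script below is an added example (not from the forum post) that performs the same check directly against the LDAPS port, with hostname verification switched on, and also reproduces the DER-to-PEM conversion of step 3. It assumes the DC FQDN is passed on the command line, port 636, and the Debian/Ubuntu bundle path that update-ca-certificates regenerates; when the verification fails it reports OpenSSL's reason so you can tell a missing CA (step 4) from a name mismatch (step 5 or a wrong name in the Server field).

```python
# Added example, not part of the forum post. Assumptions: DC reachable on the
# hostname given on the command line, LDAPS on 636, Debian/Ubuntu CA bundle.
import base64
import socket
import ssl
import sys
from typing import Optional

# File regenerated by `update-ca-certificates` on Debian/Ubuntu (assumed default layout)
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def is_der(data: bytes) -> bool:
    """A DER certificate starts with the ASN.1 SEQUENCE tag 0x30; PEM starts with '-----BEGIN'."""
    return data[:1] == b"\x30"


def der_to_pem(der_bytes: bytes) -> str:
    """Same output as `openssl x509 -inform DER -in adds.cer -out adds.crt`:
    base64 the raw DER, wrap at 64 columns, add the PEM armour."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def check_ldaps_trust(host: str, port: int = 636, cafile: Optional[str] = SYSTEM_CA_BUNDLE,
                      timeout: float = 5.0) -> dict:
    """TLS handshake with host:port using the given CA bundle (None = Python's
    platform defaults), hostname verification on, i.e. the checks a properly
    configured LDAP client performs. Returns a dict instead of raising so the
    caller can distinguish 'CA not imported' from 'name mismatch'."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    except OSError as exc:
        return {"ok": False, "stage": "cafile", "reason": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # verify_message is OpenSSL's reason string, e.g. "unable to get local
        # issuer certificate" (CA missing) or a hostname mismatch message
        return {"ok": False, "stage": "verify", "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "stage": "connect", "reason": str(exc)}


def main(argv) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <dc-fqdn> [exported-root-ca.cer]")
        return 2
    if len(argv) > 2:
        # Optional: convert the DER export from the DC to PEM, as in step 3
        with open(argv[2], "rb") as f:
            data = f.read()
        if is_der(data):
            pem_path = argv[2].rsplit(".", 1)[0] + ".crt"
            with open(pem_path, "w") as f:
                f.write(der_to_pem(data))
            print(f"wrote {pem_path}; copy it to /usr/local/share/ca-certificates "
                  "and run update-ca-certificates, then re-run this check")
    result = check_ldaps_trust(argv[1])
    print(result)
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 ldaps_check.py dc01.mylab.local adds.cer` on the GLPI host. A `stage: verify` result with "unable to get local issuer certificate" means step 4 did not take effect; a hostname mismatch means the name you connect with is not in the DC certificate's SAN, which is the same failure GLPI will hit if the Server field uses a different name than the one the certificate was issued for.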
Hi, very interesting. I am trying to configure my GLPI for LDAPS too, but how did you find your .key? From your .crt, or do you have a .pfx and extract it with openssl?
I used a PowerShell script to make an SSL certificate from AD.
thanks